Threat Description

Swicer

Details

Summary

Swicer is a very intrusive adware/spyware program. It installs itself as an Internet
Explorer plugin, repeatedly shows popups and downloads executable files from the LOP.COM
website.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

The Swicer downloader is usually dropped onto a computer by certain webpages when they
are viewed with Internet Explorer. The downloader is then activated and silently downloads
and activates the main Swicer components. These components are packed inside a single
executable file, the dropper. When run, the dropper unpacks a few GIF images and one
HTML file with random names into the Windows folder and then drops the Internet Explorer
plugin, also with a random name, into the Application Data folder of the current user.
The next time IE is opened, the plugin is activated and a blue search bar with several
buttons appears in the IE interface. However, the plugin sometimes fails to activate.

The plugin shows popups and at some point can open webpages that contain more adware
components. To our knowledge there are no uninstallation instructions for Swicer adware
available from its manufacturer, so we are providing manual disinfection instructions
below.

To remove the Swicer adware, open the following folder in Windows Explorer
(by default this folder is on the C: drive):

\Documents and Settings\<current_user>\Application Data\

where <current_user> is your user name (the name that you use to log in to your computer,
without the brackets). That folder should contain a single DLL file with a random
name, about 510-530 kilobytes in size. Close Internet Explorer and delete that DLL
file. The adware problem should then be solved.

It is also recommended to delete the following folder, which Swicer uses
to download additional components:

\Documents and Settings\<current_user>\Local Settings\Temp\delete.me

where <current_user> is your user name (the name that you use to log in to your computer,
without the brackets).
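
The manual check above can be scripted as a report-only scan over every user profile, on a live machine or a mounted disk image. This is an added example, not F-Secure code: the function names, the reading of the size range as 1 KB = 1024 bytes and the sample tree are assumptions, and a size match only flags a file for review.

```python
"""Report-only triage for the Swicer artifacts described above (added example)."""
import tempfile
from pathlib import Path

# Size window from the description: "about 510-530 kilobytes" (1 KB = 1024 bytes assumed).
MIN_SIZE, MAX_SIZE = 510 * 1024, 530 * 1024


def find_swicer_artifacts(profiles_root):
    """Return (candidate_dlls, delete_me_dirs) found under a profiles directory.

    profiles_root is e.g. C:\\Documents and Settings on a live system, or the
    same folder inside a mounted disk image. Nothing is deleted.
    """
    dlls, staging_dirs = [], []
    for profile in sorted(Path(profiles_root).iterdir()):
        if not profile.is_dir():
            continue
        app_data = profile / "Application Data"
        if app_data.is_dir():
            # The plugin DLL sits directly in Application Data, not in a subfolder.
            for entry in sorted(app_data.iterdir()):
                if (entry.is_file() and entry.suffix.lower() == ".dll"
                        and MIN_SIZE <= entry.stat().st_size <= MAX_SIZE):
                    dlls.append(entry)
        staging = profile / "Local Settings" / "Temp" / "delete.me"
        if staging.is_dir():
            staging_dirs.append(staging)
    return dlls, staging_dirs


def build_constructed_tree(root):
    """Create a constructed sample profile tree (all names and sizes are made up)."""
    alice = Path(root) / "alice"
    app_data = alice / "Application Data"
    (app_data / "Vendor").mkdir(parents=True)
    (app_data / "qxzvbn.dll").write_bytes(b"\0" * (520 * 1024))          # in window
    (app_data / "small.dll").write_bytes(b"\0" * 1024)                   # too small
    (app_data / "Vendor" / "lib.dll").write_bytes(b"\0" * (520 * 1024))  # subfolder
    (alice / "Local Settings" / "Temp" / "delete.me").mkdir(parents=True)
    (Path(root) / "bob" / "Application Data").mkdir(parents=True)        # clean profile


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        found_dlls, found_dirs = find_swicer_artifacts(tmp)
        for path in found_dlls + found_dirs:
            print("review:", path)
```
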

Detection

Detection for this adware was published on December 2nd, 2003 in the following F-Secure
Anti-Virus updates:

Detection Type: PC
Database: Version-2003-12-02_01

Description Details: Alexey Podrezov, February 23rd, 2004
